Data breach of 800,000 records

South Shore Hospital in Massachusetts announced yesterday that personal records of 800,000 individuals may be missing. The hospital sent backup tapes to a contractor for destruction. The contractor has informed the hospital that only a portion of the tapes was received and destroyed; the rest of the tapes are missing.

According to the Boston Globe:

The hospital said the files contained information on patients, employees, physicians, volunteers, donors, and other business partners associated with South Shore between Jan. 1, 1996, and Jan. 6 of this year.

The files may have included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits, and other personal information.

My first reaction to this story is to ask “why weren’t the backup tapes encrypted”?  On the South Shore Hospital FAQ website they answer the question:

These particular back-up computer files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted. However, specialized software, hardware, and technical knowledge and skill would be required for someone to access and decipher the information.
So we have another massive data breach that puts 800,000 individuals in a position of having their personal information compromised. If there is one lesson that should come from this, it is: make sure your data backups are encrypted. Most backup software has an option to encrypt the data that is copied to tape. If you are not using that option, start ASAP. If your software does not support encryption, upgrade to software that does! Any data that leaves a practice should be encrypted. If it is not, then it is only a matter of time before your practice is in the headlines over a data breach.
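As an added example (not part of the original post, and not South Shore Hospital's or any vendor's backup tooling), the shell script below shows the lesson in practice: the backup archive is encrypted with a passphrase before it leaves the building, and the script proves that the ciphertext restores byte-for-byte and that no plaintext survives in the file that goes to the contractor. It assumes a POSIX shell with tar and OpenSSL available (AES-256-CBC with PBKDF2 key derivation); the sample record and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: POSIX sh, tar, openssl.
# The passphrase lives in a file with restrictive permissions (or a key vault),
# never on the tape label or in the shipping box.

# encrypt_backup SRC_DIR OUT_FILE PASSFILE
# Streams a tar of SRC_DIR through AES-256-CBC; PBKDF2 slows passphrase guessing.
encrypt_backup() {
    tar -cf - -C "$1" . | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass "file:$3" -out "$2"
}

# restore_backup ENC_FILE DEST_DIR PASSFILE
# Decrypts with the same parameters and unpacks into DEST_DIR.
restore_backup() {
    mkdir -p "$2"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$3" \
        -in "$1" | tar -xf - -C "$2"
}

# roundtrip_check
# Builds a constructed sample dataset, encrypts it, confirms the plaintext is not
# visible in the encrypted file, restores it and compares the result.
# Prints "ok" on success, "plaintext-leak" or "mismatch" on failure.
roundtrip_check() {
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/restore"
    # Constructed sample record; no real patient data.
    printf 'MRN 000123, constructed sample record\n' > "$work/src/patients.txt"
    printf 'constructed-passphrase-kept-off-the-media\n' > "$work/pass.txt"
    chmod 600 "$work/pass.txt"

    encrypt_backup "$work/src" "$work/backup.tar.enc" "$work/pass.txt"

    # A tape that leaves the building must not contain readable records.
    if grep -qa 'constructed sample record' "$work/backup.tar.enc"; then
        echo plaintext-leak; rm -rf "$work"; return 1
    fi

    restore_backup "$work/backup.tar.enc" "$work/restore" "$work/pass.txt"
    if cmp -s "$work/src/patients.txt" "$work/restore/patients.txt"; then
        result=ok
    else
        result=mismatch
    fi
    rm -rf "$work"
    echo "$result"
}

# Stand-alone run: roundtrip_check
```

The restore step is the part practices most often skip: an encrypted backup that has never been test-restored is only a guess that the key and parameters were recorded correctly. Run the restore on a schedule, from the off-site copy, with the passphrase retrieved the way it would be in an emergency.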

Encryption password written on CD cover

In a story that makes you scratch your head, a CD with over 300,000 names of New Yorkers with developmental and other health issues has been missing for almost a month.

“We have not been able to locate within our Early Intervention program unit one disc out of two discs that we received from New York City,” DOH spokeswoman Claudia Hutton said. “At this point, we have no reason to believe they’ve left the building.”

The contents of the disk were encrypted but unfortunately the encryption password may have been written on the outside of the disk.

Adding to concern is the fear that the disc’s password may be written on the outside, although Hutton said the disc is encrypted and could not be read without advanced technical skill.
 
Hutton conceded that putting the password on the disc was not a good idea and amounted to “sloppy housekeeping.”
They have been searching for the missing disk all over the building but still have not found it.
 

Workers at the DOH first discovered the disc was missing around March 20 when they realized it wasn’t where it was supposed to be: in a locked cabinet inside a locked room, said Hutton, in response to a reporter’s inquiry.

The two CDs had been sent by overnight delivery service from New York City and were logged in at Corning Tower.

Once the DOH realized one of the discs was missing, security experts began a search, even instructing workers to sift through piles of papers and desk drawers.

Hutton said the disc may have been accidentally shredded or may still be somewhere in the building. She said the New York City DOH was notified last week.

They say there is no need to notify the patients of the breach, but the details seem sketchy.

She said the DOH won’t have to notify people whose names are on the disc because it doesn’t contain diagnoses or other medical information that would be covered by federal privacy laws.

Along with the names and addresses, the disc contains codes that relate to the services the individuals received, Hutton said.

The main point to consider in this case is that if you have a CD, USB drive or laptop that has encryption, DO NOT write the encryption password on the cover of the CD or place a sticky note on the drive or laptop. Encryption of data is considered secure, and no breach notifications need to occur if the data is lost. But if you write the password on or near the encrypted data, you basically make the encryption useless. The data should then be treated as though there is no encryption at all.
 
You can implement all the technology and take all the precautions to protect data, but in the end you are still only as secure as your staff allows you to be. If your staff takes security seriously and makes a valid effort to perform their jobs in a way that protects patient data, you will have a very good chance of keeping patient data secure. On the other hand, if your staff does not take patient data security seriously and takes shortcuts (e.g. writing encryption passwords on CDs), there is a good chance you will face a patient data breach in the future.

USB drives pose security risks

Today USB drives (also known as flash drives and thumb drives) are commonplace. They can store a lot of data, they are cheap, and they are very easily transported. A 2GB flash drive can be bought for $7.00 or less. These drives give you the ability to carry documents, spreadsheets, PDF files and other data from one computer to another. Unfortunately, along with convenience come security risks.

An employee working on a document could copy it to a flash drive, bring it home and make modifications to the document. The employee could then copy the document back to the flash drive, bring it to work in the morning and copy the revised document back to their computer or network drive. Just as easily, an employee may copy a series of reports extracted out of an EMR, a spreadsheet with a list of patients’ financial information, or a schedule of patients and demographics for the next week. The employee may have all the best intentions of working on the information at home. Now suppose that the employee misplaces the flash drive on the way home. The data on USB drives is usually not encrypted. A flash drive is about the size of a house key, and some drives attach right to a key chain. We have all lost or misplaced keys, and losing a flash drive is equally likely. If the employee loses the flash drive, a practice is looking at a HIPAA security breach. Along with the security breach may come fines, the cost and expense of breach notifications, and the negative press that a practice may incur.

Another security risk centers around viruses and spyware/malware. The employee may bring home data to work on at night. The employee’s home computer may be infected with a virus or have malware loaded on it. When the employee saves the modified data, the virus or malware may also be transferred to the flash drive. The virus can then be transferred to a practice’s network when the data is copied to the employee’s computer or network drive.

One way to prevent these types of security risks is to create a policy that prohibits the use of USB drives. Unfortunately a USB drive is so small and easily concealed that an employee may ignore the policy. Employees may ignore the policy not because they are intentionally stealing data but simply to bring work home in an effort to “catch up” or finish a task.

According to an article by Ars Technica, the National Security Agency (NSA) has developed a tool that will detect USB drives on internal computer networks.

Although having strong IT security policies can help reduce the risks, it’s not always easy to enforce such policies. The NSA built a tool, called USBDetect, that is designed to help government agencies track the usage of USB storage devices on their internal networks. The tool is not publicly available, but is briefly described in a section of the NSA’s 2011 budget proposal, which was highlighted yesterday by NextGov defense technology blogger Bob Brewin.

“A Computer Network Defense Tool developed by NSA, USBDetect 3.0, is available to U.S. Government (USG) users free of charge. USBDetect gathers data (locally or on a network) from personal computers running Microsoft Windows 2000 or later operating systems, and reports unauthorized usage of Universal Serial Bus (USB) thumb (a.k.a. flash) drives, external hard drives, compact disk drives, and other storage devices,” the budget proposal says. “The USBDetect tool provides USG network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks.”

As noted in the article, the NSA tool is only available to government agencies and is not commercially available.

There are commercial programs that will disable the use of USB drives. Such a program makes a USB drive inaccessible and therefore prevents data from being copied to and from it. Unfortunately this adds administrative overhead, because some employees have legitimate needs to use USB drives, including copying non-patient data, presentations, etc.

The purpose of this post is to highlight the security risks associated with USB drives. Policies preventing the copying of patient information to USB drives are required. In addition, employees need training on, and alerts to, the potential dangers associated with USB drives. There are technologies that can help guard against these risks, but they present a different set of issues and administrative overhead.
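The two technical controls discussed above, detecting USB storage use (the idea behind the NSA's USBDetect) and disabling it outright (the commercial blocking products), can be illustrated on a Linux workstation with ordinary system tools. The shell script below is an added example written for this post; it is not USBDetect, not any vendor's product, and not code from the original article. It assumes a POSIX shell with awk, kernel messages in the usual syslog format, and the modprobe `install` directive for blocking the usb-storage driver; the log lines it parses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: POSIX sh, awk, a Linux
# host whose kernel messages reach syslog in "Mon DD HH:MM:SS host kernel: ..." form.

# sample_log
# Constructed kernel log excerpt: one flash drive (usb 1-1) and one keyboard (usb 1-2).
# Only the flash drive produces a usb-storage line, so only it should be reported.
sample_log() {
    cat <<'EOF'
Mar 20 09:12:01 ws17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar 20 09:12:01 ws17 kernel: usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar 20 09:12:01 ws17 kernel: usb 1-1: SerialNumber: 4C530001230512345678
Mar 20 09:12:01 ws17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 20 09:15:44 ws17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar 20 09:15:44 ws17 kernel: usb 1-2: SerialNumber: KB-constructed
Mar 20 09:15:44 ws17 kernel: input: USB Keyboard as /devices/pci0000:00/usb1/1-2/1-2:1.0/input/input5
EOF
}

# usb_storage_events
# Reads kernel log lines on stdin and prints one line per USB mass-storage
# device attached: "timestamp host vendor:product serial". Keyboards, mice and
# other non-storage devices are ignored because they never trigger usb-storage.
# In production feed it `journalctl -k` or /var/log/kern.log instead of sample_log.
usb_storage_events() {
    awk '
        /usb [0-9.-]+: New USB device found/ {
            match($0, /usb [0-9.-]+/);   dev = substr($0, RSTART + 4,  RLENGTH - 4)
            match($0, /idVendor=[0-9a-f]+/);  v = substr($0, RSTART + 9,  RLENGTH - 9)
            match($0, /idProduct=[0-9a-f]+/); p = substr($0, RSTART + 10, RLENGTH - 10)
            id[dev] = v ":" p
        }
        /usb [0-9.-]+: SerialNumber:/ {
            match($0, /usb [0-9.-]+/);   dev = substr($0, RSTART + 4, RLENGTH - 4)
            match($0, /SerialNumber: .*/); serial[dev] = substr($0, RSTART + 14)
        }
        /usb-storage [0-9.-]+:[0-9.]+: USB Mass Storage device detected/ {
            match($0, /usb-storage [0-9.-]+/); dev = substr($0, RSTART + 12, RLENGTH - 12)
            print $1, $2, $3, $4, id[dev], serial[dev]
        }
    '
}

# usb_storage_block_rule OUTFILE
# Writes a modprobe rule that makes the usb-storage driver unloadable, which is
# the "make the drive inaccessible" control. Needs root and takes effect for
# drives inserted after the module is unloaded (modprobe -r usb-storage) or after
# a reboot. It blocks every mass-storage device, so legitimate users need an
# exception process: that is the administrative overhead the post describes.
usb_storage_block_rule() {
    printf 'install usb-storage /bin/false\n' > "$1"
}

# Stand-alone run: sample_log | usb_storage_events
```

Reviewing the audit output against an allowlist of approved vendor:product and serial values turns this from a log grep into a detection: any storage device not on the list, or any device on a workstation that should never see one, is the event worth alerting on.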


Costly data breach for BlueCross

A break-in at a mall has cost BlueCross BlueShield of Tennessee $7 million and counting. As noted in this Newsweek article:

On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company’s training center in Chattanooga’s Eastgate Town Center mall. The drives contained recordings of more than 1 million customer support calls, totalling 50,000 hours of conversation. There were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time some of the calls were made.

In most of the calls, subscribers provided their BlueCross ID number, name and date of birth — not enough information for criminals to pull off an identity theft scam. But in some calls, Medicare subscribers provided what’s known as a Health Insurance Claim (HIC) number, which contains the subscriber’s Social Security number. Many of the screen shots also include Social Security numbers, and that information can be used in identity theft.

An attorney from BlueCross said in a letter to the Maryland attorney general that the data on the hard drives was encoded but not encrypted. Encrypted data would require the passcode or key to decrypt and read the data.

Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened.

So for the past five months, BlueCross has been sorting out which of its 3 million customers to notify of the breach. “Unfortunately, after checking with numerous vendors throughout the country, an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary,” BlueCross said in the letter, dated Dec. 16.

“We made the decision that there is really no substitute for actually manually going through it and looking at the video screens or listening to the audio,” said Roy Vaughn, a BlueCross BlueShield of Tennessee spokesman. “It has to be reviewed.”

The costs keep tallying up:

The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.

The HITECH Act requires media and regulatory notifications.  In the letter to the Maryland attorney general they mention:

The HITECH Act requires that we provide media notice to any jurisdiction where over 500 members may reside; therefore, we are also notifying all Attorneys General in these states so they may also be aware of our activities and could address questions they may receive from our members who reside in their states.

A few points to think about regarding this incident are:

  1. This did not occur at the BlueCross headquarters but at a rented location.  So no matter how much they secured their offices and network, a HIPAA security breach still occurred.
  2. Data that leaves your headquarters, office or building on a laptop, desktop, USB drive, smartphone, etc. and that is not encrypted is a liability waiting to happen.
  3. HIPAA and HITECH data breaches can be extremely costly not only from a HIPAA fine perspective but from the manpower and wasted productivity required to react to the data breach.

HIPAA Security Rule Implementation

If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan future articles that go into the HIPAA Security Rule much more in depth, but for now let’s look at the Security Rule at a high level. The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected. A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

  1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail of each of the three parts and provides questions and examples to help you better understand the concepts and principles.
